Vendor Risk Management and the AICPA’s SOC 2: How Vendorpedia Helps


OneTrust Vendorpedia supports your organization with its SOC 2 audits by helping you maintain and demonstrate your security, availability, confidentiality, privacy, and processing integrity with respect to data and information in your systems. Additionally, the Global Risk Exchange lets you know which of your third-party vendors, suppliers, and processors have SOC 2 certifications.

What Are SOC 2 Reports and How Do They Impact Vendor Risk Management?

The AICPA develops internationally recognized standards for audits. Perhaps the best known is the SOC 2 Trust Services Criteria, which outlines the requirements for SOC 2 audits and the corresponding reports. A SOC 2 report covers controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports play an important role in establishing effective vendor risk management programs, maintaining organizational and regulatory oversight, and implementing corporate governance and risk management processes.

Identify Vendors That Have Active, In-Scope SOC 2 Reports

OneTrust Vendorpedia can help you identify which of your vendors have SOC 2 reports. Within the Global Risk Exchange, you can see granular product- and service-level details to identify which of them fall within the scope of a vendor's SOC 2 report.

Assess Vendor Risks, Analyze Threats, and Monitor Changes

The AICPA Trust Services Criteria build on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) principles, which recommend identifying and analyzing the risks posed by vendors, tracking changes that may introduce new risks, and implementing mitigation measures. OneTrust Vendorpedia streamlines vendor risk assessments so that your organization can keep an inventory of its vendors (and identify the critical ones), perform rapid risk assessments, manage and mitigate risks, and monitor vendor changes through the Global Risk Exchange.

Confirm Vendor Commitments with Contract Term Tracking

SOC 2 reports look for vendor commitments relating to privacy, unauthorized data access, and incidents and breaches. With OneTrust Vendorpedia, you can track these commitments by extracting and reporting on key terms within contracts to satisfy these vendor risk controls.

Implement Automated Vendor Termination Procedures

SOC 2 audits seek to confirm that your organization has vendor termination procedures in place. OneTrust Vendorpedia automates the vendor termination process with built-in termination checklists and workflows, and assists with evidence collection and recordkeeping.

Is your organization working on obtaining its SOC 2 or tracking vendors with SOC 2s?

See How Vendorpedia Can Help

Effective Vendor Risk Management to Meet SOC 2 Requirements with Vendorpedia

SOC 2 Research

Identify whether your organization's vendors have active SOC 2 reports, at the product and service level

Audit Trails

Maintain records of vendors, risks, and contracts to streamline SOC 2 audits with dashboards and detailed column reports

Risk Assessment Automation

Build workflows to assess vendor security and privacy risks that follow SOC 2 guidance to meet compliance obligations